Abstract. Ordinal automata are used to model physical systems with
Zeno behavior. Using automata and games techniques we solve a control
problem formulated and left open by Demri and Nowak in 2005.
It involves partial observability and a new synchronization between the
controller and the environment.

1 Introduction 

Controller synthesis. The synthesis of controllers is today one of the most
important challenges in computer science. Since [RW89] different formalisms have
been considered to model (un)controllable and (un)observable actions. The problem
is well understood for finite systems admitting infinite behavior (indexed by
$\omega$) [PR89]. Recent developments concern extensions to e.g. infinite state
systems or timed systems [BDMP03].

Transforming control problems into two-player games has provided efficient
solutions [Tho95]. In this setting the controller is modeled by a player and the
environment by her opponent. Determining whether a controller exists amounts
to determining the winner, and computing a winning strategy is equivalent to
synthesizing a controller.

Ordinal automata. A Büchi or Muller automaton, after reading an $\omega$-sequence,
simply accepts or rejects, depending on the states visited infinitely often. In an
ordinal automaton there is a limit transition to a new state, also depending
on the states visited infinitely often, and the run goes on from this state. This
makes it possible to model a system performing $\omega$ actions in a finite time
and reaching a limit state.

Systems with Zeno behaviors. When modeling physical systems we face the problem
that different components can have different time scales. For example the
controller of an anti-lock braking system (ABS) is supposed to react much quicker
than the physical environment. Conversely, one can consider physical systems
admitting Zeno behavior — infinitely many actions in a finite amount of
time — whereas the controller is a computer with constant clock frequency. A
simple example is a bouncing ball. Another one is the physical description of
an electronic circuit which evolves much quicker than its logical description in
VHDL. The speeds are so different that one can consider that the former
evolves infinitely quicker than the latter.

Following this idea Demri and Nowak [DN05] have proposed to model physical
systems by ordinal automata, thus admitting ordinal sequences as behavior
(typically of length $\omega^k$). They define a logic LTL($\omega^k$) as an extension of LTL
to express properties of such systems. The controller should be a usual automaton
whose execution is an $\omega$-sequence. The synchronization between controller
and environment is the following: the environment makes $\omega^{k-1}$ steps "alone", then
controller and environment make one step together, and so on.

Particularly in the context of timed systems, different techniques have been
proposed to forbid or restrict Zeno behaviors, see the introduction of [AFH+03] for
an overview. Our claim is that we want to allow Zeno behaviors, to model them
and express properties about them, and finally to control such systems.

Our contribution. The main contribution of our article is a solution to the control
problem stated and left open in [DN05]. Given a physical system modeled by an
ordinal automaton and a formula $\psi$ of LTL($\omega^k$) we want to determine whether
a controller exists and synthesize one. The technique used is to transform the
control problem into a game problem. Because of the unobservable actions and
also because of the different time scales, the controller cannot fully observe the
current state of the system. For that reason we construct a game of imperfect
information. Another difficulty is that the length of the interaction is greater
than $\omega$, but fortunately one can summarize $\omega^{k-1}$ steps done by the environment
"alone". Several games and automata techniques are used.

Related work. It is known that games of imperfect information have higher
computational complexity [Rei84]. Zeno behaviors have already been considered in the
literature. In [BP00] languages of ordinal words accepted by timed automata are
studied. In the framework of hybrid systems [AM98, Bou99] or cellular automata
on continuous time and space [DL05] it is known that allowing Zeno behaviors
gives rise to highly undecidable problems. In [DN05] Demri and Nowak solve
the satisfiability and the model-checking problem for LTL($\omega^k$): given an
ordinal automaton reading $\omega^k$-sequences and a formula $\psi$, determine whether every
run of the automaton satisfies $\psi$. For this they use a "succinct" form of ordinal
automata to have better complexity bounds.

Plan of the paper. In the next section we present the temporal logic LTL($\omega^k$),
ordinal automata and the control problem. We show a translation to first order
logic. In Section 3 we solve our main problem. We first explain how to translate
it to a game and why the controller has imperfect information about the system.
An example is provided in Section 

2 Reasoning about transfinite sequences 

We assume basic knowledge about ordinals less than $\omega^\omega$, see e.g. [Ros82]. An
ordinal is a well and totally ordered set. It is either 0 or a successor ordinal of the
form $\beta + 1$ or a limit ordinal. The first limit ordinal is denoted $\omega$. For all ordinal
$\alpha$, $\beta < \alpha \Leftrightarrow \beta \in \alpha$ and $\alpha = \{\beta : \beta < \alpha\}$. In this article we restrict ourselves
to ordinals less or equal than $\omega^\omega$. By the Cantor Normal Form theorem, for
all $\alpha < \omega^\omega$ there exists unique integers $p, n_1, \ldots, n_p$ and $k_1, \ldots, k_p$ such that
$k_1 > k_2 > \cdots > k_p$ and $\alpha = \omega^{k_1} n_1 + \omega^{k_2} n_2 + \cdots + \omega^{k_p} n_p$. Recall e.g. that $2\omega = \omega$
and $\omega + \omega^2 = \omega^2$. An ordinal $\alpha$ is said to be closed under addition whenever
$\beta, \beta' < \alpha$ implies $\beta + \beta' < \alpha$. In particular for every $\alpha < \omega^\omega$, $\alpha$ is closed under
addition iff $\alpha$ is equal to $\omega^\beta$ for some $\beta < \omega$ or $\alpha = 0$. In the following we will
consider a logic whose models are $\omega^k$ sequences for some $k < \omega$.

2.1 Temporal Logic 

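We recall the definition of the logic LTL($\alpha$) introduced in [DN05]. For every
ordinal $\alpha$ closed under addition, the models of LTL($\alpha$) are precisely sequences of
the form $\sigma : \alpha \to 2^{AP}$ for some countably infinite set $AP$ of atomic propositions.
The formulas of LTL($\alpha$) are defined as follows:
$\varphi ::= p \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid X^{\beta}\varphi \mid \varphi_1 U^{\beta'} \varphi_2$,
where $p \in AP$, $\beta < \alpha$ and $\beta' \le \alpha$. The satisfaction relation is
inductively defined below where $\sigma$ is a model for LTL($\alpha$) and $\beta < \alpha$:

- $\sigma, \beta \models p$ iff $p \in \sigma(\beta)$,

- $\sigma, \beta \models \varphi_1 \wedge \varphi_2$ iff $\sigma, \beta \models \varphi_1$ and $\sigma, \beta \models \varphi_2$; $\sigma, \beta \models \neg\varphi$ iff not $\sigma, \beta \models \varphi$,

- $\sigma, \beta \models X^{\beta'} \varphi$ iff $\sigma, \beta + \beta' \models \varphi$,

- $\sigma, \beta \models \varphi_1 U^{\beta'} \varphi_2$ iff there is $\gamma < \beta'$ such that $\sigma, \beta + \gamma \models \varphi_2$ and for every
$\gamma' < \gamma$, $\sigma, \beta + \gamma' \models \varphi_1$.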

Closure under addition of $\alpha$ guarantees that $\beta + \beta'$ and $\beta + \gamma$ above are strictly
smaller than $\alpha$. Usual LTL is expressively equivalent to LTL($\omega$): $X$ is equivalent
to $X^1$ and $U$ is equivalent to $U^\omega$, conversely $X^n$ and $U^n$ can be expressed in LTL.
Standard abbreviations are also extended: $F^\beta \varphi = \top U^\beta \varphi$ and $G^\beta \varphi = \neg F^\beta \neg\varphi$.
Using Cantor Normal Form it is easy to effectively encode an LTL($\omega^k$) formula
for $k < \omega$. We provide below properties dealing with limit states that can be
easily expressed in LTL($\omega^k$) ($k > 2$).

"$p$ holds in the states indexed by limit ordinals strictly less than $\omega^k$":

$G^{\omega^k}(X^{\omega} p \wedge \cdots \wedge X^{\omega^{k-1}} p)$.

For $1 < k' < k - 2$, "if $p$ holds infinitely often in states indexed by ordinals of
the form $\omega^{k'} \times n$, $n > 1$, then $q$ holds in the state indexed by $\omega^{k'+1}$":

(G F u X" p) (X w g). 

2.2 Translation to First Order Logic 

In [DN05] it is proved that LTL($\omega^\omega$) (hence also LTL($\omega^k$)) can be translated
to the monadic second order theory of $(\omega^\omega, <)$, which gives a non-elementary
decision procedure for satisfiability [BS73]. We improve this result by showing
that LTL($\omega^\omega$) can be translated even to the first order theory (FO) of $(\omega^\omega, <)$.



Proposition 1. For every LTL($\omega^\omega$) formula there exists an equivalent first
order formula over $(\omega^\omega, <)$.

It is open whether the converse also holds, extending Kamp's theorem [Kam68].

Proof (sketch). The main point is the definition of a formula $+_\beta(x,y)$ for some
$\beta < \omega^\omega$ such that $(\omega^\omega, <) \models_v +_\beta(x,y)$ with $v : \{x,y\} \to \omega^\omega$ iff $v(y) = v(x) + \beta$.
The relation $\models_v$ is the standard satisfaction relation under the valuation $v$. The
formulas of the form $+_\beta(x,y)$ with $\beta < \omega^\omega$ are inductively defined as:

1. $+_0(x,y) = (x = y)$,

2. $+_1(x,y) = (x < y) \wedge \forall z\,(z > x \Rightarrow y \le z)$,

3. $+_{\omega^k n + \beta}(x,y) = \exists z\; +_{\omega^k}(x,z) \wedge +_{\omega^k (n-1) + \beta}(z,y)$ ($n \ge 1$, $k \ge 0$),

4. $+_{\omega^k}(x,y) = (x < y) \wedge \forall z\,(x \le z < y \Rightarrow \exists z'\,(+_{\omega^{k-1}}(z,z') \wedge z' < y)) \wedge
   \forall y'\,[((x < y') \wedge \forall z\,(x \le z < y' \Rightarrow \exists z'\,(+_{\omega^{k-1}}(z,z') \wedge z' < y'))) \Rightarrow y \le y']$
   ($k \ge 1$).

For $k = 1$, the latter formula is written in the following way. The ordinal $y$ such
that $+_\omega(x,y)$ holds is greater than $x$, greater than every finite step successor
of $x$, and $y$ is the least ordinal satisfying these two conditions. By induction one
can show that $y > x + n$ for every $n < \omega$. Analogously for $k > 1$, the formula
implies that $y > x + \omega^{k-1} n$ for every $n < \omega$. □

The first order theory of $(\omega^\omega, +)$ has a non-elementary decision procedure
[Mau96]. We are not aware of the exact complexity of the more restricted first
order theory of $(\omega^\omega, <)$. We use ordinal automata, both to model physical
systems and to represent specifications.

2.3 Ordinal Automata 

Since Büchi in the 1960s and Choueka in the 1970s, different forms of ordinal
automata have been proposed. A particular class of ordinal automata is well
suited to solve our problem. See [Bed98] for the equivalence between different
definitions. Ordinal automata have two kinds of transitions: usual one-step
transitions for successor ordinals and limit transitions for limit ordinals where the
state reached is determined by the set of states visited again and again "before"
that ordinal. An ordinal automaton is a tuple $(Q, \Sigma, \delta, E, I, F)$ where:

- $Q$ is a finite set of states,

- $\Sigma$ is a finite alphabet,

- $\delta \subseteq Q \times \Sigma \times Q$ is a one-step transition relation,

- $E \subseteq 2^Q \times Q$ is a limit transition relation,

- $I \subseteq Q$ is a finite set of initial states,

- $F \subseteq Q$ is a finite set of final states.

We write $q \xrightarrow{a} q'$ whenever $(q, a, q') \in \delta$ and $P \to q$ whenever $(P, q) \in E$.
A path of length $\alpha + 1$ is an $(\alpha + 1)$-sequence $r : \alpha + 1 \to Q$ labeled by an
$\alpha$-sequence $\sigma : \alpha \to \Sigma$ such that for every $\beta \in \alpha$, $r(\beta) \xrightarrow{\sigma(\beta)} r(\beta + 1)$ and for
every limit ordinal $\beta \in \alpha + 1$, there is $P \to r(\beta) \in E$ s.t. $P = cofinal(\beta, r)$
with $cofinal(\beta, r) = \{q \in Q : \text{for every } \gamma \in \beta, \text{ there is } \gamma' \text{ such that } \gamma < \gamma' < \beta \text{ and } r(\gamma') = q\}$.
The set $cofinal(\beta, r)$ is the set of states visited again and again
arbitrarily close to $\beta$ (hence infinitely often).

If moreover $r(0) \in I$, it is a run. If moreover $r(\alpha) \in F$, it is accepting.

Example 1. We present here an example of ordinal automaton $A$
with limit transitions $\{0\} \to 1$ and $\{0,1\} \to 2$.
One can show that $L(A)$ contains only $\omega^2$-sequences and
$L(A) = (a^\omega \cdot b)^\omega$.

For all $k < \omega$ there exists an ordinal automaton accepting exactly the sequences
of length $\omega^k$, using $k + 1$ states. But if an ordinal automaton accepts a sequence
of length $\omega^\omega$, then it must also accept longer sequences. That is a second reason,
beside closure under addition, why we restrict ourselves to ordinals less than $\omega^\omega$.
Level. An ordinal automaton $A = (Q, \Sigma, \delta, E, I, F)$ is of level $k \ge 1$ iff there is a
map $l : Q \to \{0, \ldots, k\}$ such that:

- for every $q \in F$, $l(q) = k$;

- $q \xrightarrow{a} q' \in \delta$ implies $l(q') = 0$ and $l(q) < k$;

- $P \to q \in E$ implies $l(q) \ge 1$, for every $q' \in P$, $l(q') < l(q)$, and there is
$q' \in P$ such that $l(q') = l(q) - 1$.

The idea is that a state of level i is reached at positions (3 + j < to. 
Since [VW86], different techniques for translating logic formulas to automata
are widely used.



Proposition 2 ([DN05]). For every LTL($\omega^k$) formula, there exists an equivalent
ordinal automaton.



This result can be obtained by translating an LTL($\omega^k$) formula into an
equivalent first order formula (or even monadic second order) and applying results
from [BS73]. In [DN05] a succinct version of ordinal automata is defined to
improve the complexity of the translation from non-elementary to polynomial
(resp. exponential) space when integers in the formulas are encoded in unary
(resp. binary).



2.4 Control Problem 



Before we recall the control problem from [DN05] we need some preliminary
definitions. In order for the physical system to evolve much faster than the
controller we need a particular synchronization between them.



Synchronous product. We define below the synchronous product of two ordinal
automata having possibly different alphabets. They synchronize only on the
common actions. This is used later to model unobservable actions. Let $\Sigma_i = 2^{Act_i}$
for $i = 1, 2$; a letter from $\Sigma_i$ is a set of actions. Given two ordinal automata
$A_i = (Q_i, \Sigma_i, \delta_i, E_i, I_i, F_i)$, for $i = 1, 2$, their synchronous product is defined as
$A_1 \times A_2 = (Q, \Sigma, \delta, E, I, F)$ where:

- $Q = Q_1 \times Q_2$, $\Sigma = 2^{Act_1 \cup Act_2}$,

- $(q_1, q_2) \xrightarrow{a} (q_1', q_2') \in \delta$ iff $q_1 \xrightarrow{a \cap Act_1} q_1'$ and $q_2 \xrightarrow{a \cap Act_2} q_2'$,

- $P \to (q_1, q_2) \in E$ iff there exists $P_1 \to q_1 \in E_1$ and $P_2 \to q_2 \in E_2$ such that
$\{q : (q, q') \in P\} = P_1$ and $\{q' : (q, q') \in P\} = P_2$,

- $I = I_1 \times I_2$, $F = F_1 \times F_2$.



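Lifting. In order to synchronize the system with a controller working on
$\omega$-sequences, we need to transform the controller so that its product with $S$ only
constrains states on positions $\omega^{k-1} \times n$, $n < \omega$. The other positions are not
constrained.

Let $A = (Q, \Sigma, \delta, E, I, F, l)$ be an automaton of level 1. We define its lifting
$lift_k(A)$ at level $k \ge 2$ to be the automaton $(Q', \Sigma, \delta', E', I', F', l')$ by:

- $Q' = \{0, \ldots, k\} \times Q$, $I' = \{k-1\} \times I$, $F' = \{k\} \times F$,

- $l'(\langle i, q \rangle) = i$,

- $\delta' = \{\langle k-1, q \rangle \xrightarrow{a} \langle 0, q' \rangle : q \xrightarrow{a} q' \in \delta\} \cup
  \{\langle i, q \rangle \xrightarrow{a} \langle 0, q \rangle : 0 \le i \le k-2,\ a \in \Sigma,\ q \notin F\}$,

- $E' = \{\{\langle 0, q \rangle, \ldots, \langle i-1, q \rangle\} \to \langle i, q \rangle : 1 \le i < k,\ q \in Q\} \cup
  \{\{\langle 0, q_1 \rangle, \ldots, \langle k-1, q_1 \rangle, \ldots, \langle 0, q_n \rangle, \ldots, \langle k-1, q_n \rangle\} \to \langle k, q \rangle \mid \{q_1, \ldots, q_n\} \to q \in E\}$.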

Example 2. We present below an example of ordinal automaton $A$ with limit
transition $\{q_0, q_1\} \to q_2$ and the corresponding automaton $lift_2(A)$ with limit
transitions $\{\langle 0, q_0 \rangle\} \to \langle 1, q_0 \rangle$, $\{\langle 0, q_1 \rangle\} \to \langle 1, q_1 \rangle$, and
$\{\langle 0, q_0 \rangle, \langle 1, q_0 \rangle, \langle 0, q_1 \rangle, \langle 1, q_1 \rangle\} \to \langle 2, q_2 \rangle$. We omit useless transitions.

Proposition 3 ([DN05]). For all $w \in \Sigma^{\omega^k}$, $w \in L(lift_k(A))$ iff the word $w' \in \Sigma^{\omega}$,
defined by $w'(i) = w(\omega^{k-1} \times i)$, is in $L(A)$.
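The run semantics of Example 1 and the lifting of Proposition 3 can be exercised on words written as nested $\omega$-powers. The Python code below is an added example, not code from the paper: it is restricted to deterministic automata, the one-step transitions of Example 1 (0 -a-> 0, 1 -b-> 0, final state 2) are assumed because the figure is not reproduced, the automaton for "infinitely many b" is constructed, and all function names are hypothetical.

```python
def run(delta, limits, q, term):
    """Read `term` from state q in a deterministic ordinal automaton.

    term is a letter, ("cat", t1, ..., tn) or ("omega", t).
    delta maps (state, letter) -> state, limits maps frozenset -> state.
    Returns (end_state, visited): the state at the last position (None if the
    run is stuck) and the set of states at all earlier positions.
    """
    if not isinstance(term, tuple):                  # one letter, one step
        return delta.get((q, term)), frozenset([q])
    seen = frozenset()
    if term[0] == "cat":
        for t in term[1:]:
            q, part = run(delta, limits, q, t)
            seen |= part
            if q is None:
                break
        return q, seen
    # ("omega", body): iterate until the start state of an iteration repeats.
    starts, parts = [], []
    while q not in starts:
        starts.append(q)
        q, part = run(delta, limits, q, term[1])
        seen |= part
        if q is None:
            return None, seen
        parts.append(part)
    # The states of the repeating iterations form cofinal(beta, r).
    cofinal = frozenset().union(*parts[starts.index(q):])
    return limits.get(cofinal), seen


def lift(k, states, sigma, delta, limits, final):
    """delta' and E' of lift_k(A) for a level-1 automaton A; states are pairs (i, q)."""
    d = {((k - 1, q), a): (0, q2) for (q, a), q2 in delta.items()}
    for i in range(k - 1):                           # 0 <= i <= k-2: free steps
        for q in states - final:
            for a in sigma:
                d[((i, q), a)] = (0, q)
    e = {frozenset((j, q) for j in range(i)): (i, q)
         for i in range(1, k) for q in states}
    for P, q in limits.items():
        e[frozenset((j, p) for p in P for j in range(k))] = (k, q)
    return d, e


def stretch(letters, k, filler):
    """Place each letter at a position omega^(k-1) * i, padding with filler."""
    pad = filler
    for _ in range(k - 1):
        pad = ("omega", pad)                         # 1 + omega^(k-1) = omega^(k-1)
    return ("cat", *[t for a in letters for t in (a, pad)])


# Example 1; the one-step transitions are assumed (figure not reproduced).
EX1_DELTA = {(0, "a"): 0, (1, "b"): 0}
EX1_LIMITS = {frozenset({0}): 1, frozenset({0, 1}): 2}


def example1_accepts(term):
    return run(EX1_DELTA, EX1_LIMITS, 0, term)[0] == 2


# Constructed level-1 automaton: omega-words with infinitely many b.
B_STATES, B_SIGMA = frozenset("prf"), ("a", "b")
B_DELTA = {("p", "a"): "p", ("p", "b"): "r", ("r", "a"): "p", ("r", "b"): "r"}
B_LIMITS = {frozenset("r"): "f", frozenset("pr"): "f"}


def proposition3(u, v, k=2, filler="a"):
    """(w' in L(A), stretched w in L(lift_k(A))) for w' = u v^omega."""
    w_prime = ("cat", *u, ("omega", ("cat", *v)))
    in_a = run(B_DELTA, B_LIMITS, "p", w_prime)[0] == "f"
    d, e = lift(k, B_STATES, B_SIGMA, B_DELTA, B_LIMITS, frozenset("f"))
    w = ("cat", stretch(u, k, filler), ("omega", stretch(v, k, filler)))
    in_lift = run(d, e, (k - 1, "p"), w)[0] == (k, "f")
    return in_a, in_lift
```

The filler letter only occupies the unconstrained positions, so changing it never changes the second component returned by `proposition3`.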

A physical system $S$ is modeled as a structure $(A_S, Act_c, Act_o, Act)$
where $A_S$ is an ordinal automaton of level $k$ with alphabet $2^{Act}$ where $Act$ is
a finite set of actions, $Act_o \subseteq Act$ is the set of observable actions, $Act_c \subseteq Act$
is the set of controllable actions. The set $Act \setminus Act_c$ of uncontrollable actions is
denoted by $Act_{nc}$. A specification of the system $S$ is naturally an LTL($\omega^k$)
formula $\psi$. A controller $C$ for the pair $(S, \psi)$ is a system whose complete executions
are $\omega$-sequences (typically ordinal automata of level 1) verifying the properties
below.

(obs) Only observable actions are present in the controller. Hence, thanks to the
synchronization mode, in the product system between $S$ and $C$, unobservable
actions do not change the $C$-component of the current state. So the alphabet
of $C$ is $2^{Act_o}$. Moreover for every state $q$ of $C$ there is a transition $q \to q$.
(unc) From any state of $C$, uncontrollable actions can always be executed: $\forall q \cdot
\forall a \subseteq Act_o \setminus Act_c$, there is a transition $q \xrightarrow{b} q'$ in $C$ such that $b \cap Act_{nc} = a$.
(prod) Finally, the system $S$ controlled by $C$ satisfies $\psi$. Because $S$ and $C$ work
on sequences of different length, the controlled system is in fact equal to
$lift_k(C) \times S$. So $lift_k(C) \times S \models \psi$ should hold. This is equivalent to the
emptiness of the language of the product automaton $lift_k(C) \times S \times A_{\neg\psi}$.

We say that $C$ is a controller for $S$ (without mentioning $\psi$) if $C$ fulfills the first
two conditions. The notion of final state is not relevant for the controller or
the physical system. To conform with previous definitions we require that every
$(\omega + 1)$-run of the controller and $(\omega^k + 1)$-run of $S$ end in a final state.

The control problem for LTL($\omega^k$) is defined as follows:
input: a system $S = (A_S, Act_c, Act_o, Act)$ with ordinal automaton $A_S$ of level
$k$ and an LTL($\omega^k$) formula $\psi$ over atomic formulas in $Act$.

output: an ordinal automaton $C$ of level 1 satisfying the conditions (obs), (unc)
and (prod) above if there exists one. Otherwise the answer "no controller exists".

3 Solving the Control Problem 

Given a physical system $S$ modeled by an ordinal automaton $A_S$ of level $k$ and an
LTL($\omega^k$)-formula $\psi$, we are looking for a controller $C$ such that $lift_k(C) \times A_S \models \psi$
and $C$ has the expected properties about uncontrollable and unobservable
actions.

From Control Problem to Game. Let $B = lift_k(C) \times A_S \times A_{\neg\psi}$. At a given point
in a run of $B$ the controller is in a state $q$. From $q$ and for all $o \subseteq Act_o \cap Act_{nc}$
it must have at least one transition labeled by $o \cup c$ for some $c \subseteq Act_c$. The
most general form of a controller (possibly with infinite memory) is a function
$f : (2^{Act_o})^* \times 2^{Act_o \cap Act_{nc}} \to 2^{Act_c}$, because the current state of the controller
shall only depend on the past observable actions. This function is exactly a
strategy in a game that we will define. A controller for $(S, \psi)$ is such that every
run according to $f$ is winning.

Let $A = A_S \times A_{\neg\psi}$. It is also an ordinal automaton of level $k$: $A =
(Q, \Sigma, \delta, E, I, F, l)$. We are looking for a controller $C$ such that the language
of $lift_k(C) \times A$ is empty. We will consider a game where the environment tries
to build an accepting run of $A$, whereas the controller tries to avoid that, using
the controlled actions. In fact the environment plays both for the system $S$ and
for the automaton of $\neg\psi$, as we will see later.



3.1 Some Definitions from Game Theory 

We recall some definitions about games. See for example [Tho95, GTW02] for an
introduction. An arena, or game graph, is a triple $(V_0, V_1, G)$, where $V = V_0 \cup V_1$
is the set of vertices and $G \subseteq V \times V$ is the set of edges. The vertices of $V_0$ belong
to Player 0, those of $V_1$ to Player 1 ($V_0 \cap V_1 = \emptyset$). A play from $v_0 \in V$ proceeds
as follows: if $v_0 \in V_0$, Player 0 chooses a successor $v_1$ of $v_0$, else Player 1 does.
Again from $v_1 \in V_i$, Player $i$ chooses a successor $v_2$ of $v_1$, and so on.

A play $\pi = v_0, v_1, v_2, \ldots$ is a finite or infinite sequence of vertices such that
$\forall i, (v_i, v_{i+1}) \in G$. If the play is finite, the convention is that the player to
whom the last vertex belongs loses (he is stuck). If the play is infinite, the winner is
determined by a winning set, $Win \subseteq V^\omega$: Player 0 wins an infinite play $\pi$ if
and only if $\pi \in Win$. Usually $Win$ is an $\omega$-regular set, defined by a Büchi,
Rabin, parity or Muller automaton. One speaks also of winning condition. A
game $(V_0, V_1, G, Win)$ is an arena together with a winning condition and possibly
an initial vertex $v_0 \in V$.

For a game or an automaton, a Büchi condition is given by a set $F \subseteq V$ of
"final" vertices and $\pi \in Win$ if and only if $\forall i > 0, \exists j > i, \pi_j \in F$. A Muller
condition is given by $\mathcal{F} \subseteq 2^V$, $\mathcal{F} = \{F_1, \ldots, F_n\}$, and $\pi \in Win$ if and only if
the set of states visited infinitely often along $\pi$ is equal to one of the $F_j$'s.

A strategy for Player 0 is a (partial) function $f : V^* V_0 \to V$ such that
for every prefix $v_0, v_1, v_2, \ldots, v_i$ of a play, where $v_i \in V_0$: $f(v_0 v_1 v_2 \cdots v_i)$ is a
vertex $v_{i+1}$ such that $(v_i, v_{i+1}) \in G$. A play $\pi$ is played according to a strategy
$f_0$ if $\forall i, v_i \in V_0 \Rightarrow v_{i+1} = f_0(v_0 v_1 v_2 \cdots v_i)$. A strategy for Player 1 is defined
analogously. A strategy of Player 0 is winning if every play according to it is
winning for Player 0. An important case in practice is when the strategy is
positional: it depends only on the current vertex, not on the past of the play,
i.e., for all $v_0, v_1, v_2, \ldots$, $f(v_0 v_1 v_2 \cdots v_i) = f(v_i)$.

From [Mar75] we know that every zero-sum two-player turn based game of
complete information with Borel winning condition (including $\omega$-regular and
many more) is determined: from a given initial configuration, one of the players
has a winning strategy.

In the case of incomplete information, the players do not in general know 
exactly the current position of the game. They only know that the position 
belongs to a certain set of uncertainty. The move chosen by a player (by his 
strategy) shall depend on this set, but not on the precise position of the play. As 
we will see in some cases one can transform such a game into a game of complete 
information, where a vertex represents a set of positions of the original game. 



3.2 A Solution With Incomplete Information 

Summarizing $\omega^{k-1}$ steps. From the definition of $lift_k$ we see that the controller
can act only every $\omega^{k-1}$ steps of the environment. Our aim is to summarize
$\omega^{k-1}$ steps of the environment in a single step. One can compute a relation
$\mathcal{R} \subseteq Q \times 2^Q \times Q$ such that $(q, P, q') \in \mathcal{R}$ iff there exists in $A$ a path from $q$ to
$q'$ of length $\omega^{k-1} + 1$ where the set of states seen along this path is exactly $P$.
Note that to determine $\mathcal{R}$, one has to look for cycles in $A$ and states that are
seen infinitely often, but in $\mathcal{R}$ itself we only need to know states that are ever
visited. The reason is that (considering $cofinal(\omega^k, r)$) it is not relevant to know
that some state is visited infinitely often between e.g. $\omega^{k-1} \cdot 3$ and $\omega^{k-1} \cdot 4$ and no
more visited after $\omega^{k-1} \cdot 4$. Relation $\mathcal{R}$ can be computed in time $2^{O(|Q|)}$ [Car02].

Game. We introduce a game ($\mathcal{G}$) modeling the interaction between the controller
(Cont) and the environment (Env). It is not possible in general for Cont to know
exactly the current state of the system for several reasons.

- Cont cannot know the $\omega^{k-1}$ steps done by the environment without control.

- As Env acts, by choosing $v \subseteq Act_{nc}$, Cont can only observe the actions that
are in $Act_o$.

- Moreover $A$ is not necessarily deterministic. In particular it is possible that
$A_{\neg\psi}$ is not deterministic and Env has to "choose" which subformulas of $\neg\psi$
he wants to make true.

- Also Cont cannot know exactly the initial state chosen by Env.

In the game $\mathcal{G}$ Cont has partial information: a position of the game is a subset
$Q_i$ of $Q$, such that Cont knows that the current state of the system is in $Q_i$, but
does not know which state exactly. The game is defined by the following steps:

1. $i = 0$ and the initial position is $Q_0 = I$, the set of initial states of $A$,

2. Env chooses $o_i \subseteq Act_o \cap Act_{nc}$,

3. Cont chooses $c_i \subseteq Act_c$,

4. there is a one step transition to

$Q'_i = \{q' \in Q : \exists u \subseteq Act \setminus Act_o, \exists q \in Q_i, q \xrightarrow{c_i \cup o_i \cup u} q'\}$,

5. there is a jump to $Q_{i+1}$, summarizing $\omega^{k-1}$ steps

$Q_{i+1} = \{q \in Q : \exists q' \in Q'_i, \exists (q', P, q) \in \mathcal{R}\}$,

6. $i = i + 1$, continue at point 2.
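Steps 4 and 5 are a knowledge-set update that can be computed directly from the one-step transitions and the summary relation. The Python code below is an added example, not code from the paper: the four-state system, its action names and its summary relation are constructed, and the function names are hypothetical.

```python
from itertools import combinations


def subsets(actions):
    items = sorted(actions)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def knowledge_step(delta, summary, Qi, o, c, act_o):
    """Steps 4 and 5: from the knowledge set Qi and the visible choices
    o (Env) and c (Cont), return the pair (Q'_i, Q_{i+1})."""
    visible = o | c
    # Step 4: a label matches if it equals visible ∪ u with u unobservable.
    Qp = frozenset(q2 for (q, label, q2) in delta
                   if q in Qi and visible <= label
                   and (label - visible).isdisjoint(act_o))
    # Step 5: jump over the omega^(k-1) steps summarised by the relation.
    Qn = frozenset(q2 for (q1, _P, q2) in summary if q1 in Qp)
    return Qp, Qn


def reachable_knowledge(delta, summary, init, act_o, act_c):
    """Every knowledge set Q_i that some sequence o_0, c_0, o_1, c_1, ... yields."""
    env_moves = subsets(act_o - act_c)       # o ⊆ Act_o ∩ Act_nc
    cont_moves = subsets(act_c)              # c ⊆ Act_c
    start = frozenset(init)
    seen, todo = {start}, [start]
    while todo:
        Qi = todo.pop()
        for o in env_moves:
            for c in cont_moves:
                _, Qn = knowledge_step(delta, summary, Qi, o, c, act_o)
                if Qn and Qn not in seen:    # an empty set means no such play
                    seen.add(Qn)
                    todo.append(Qn)
    return seen


# Constructed system: "tick" is unobservable, "up" is the only controllable action.
ACT_O = frozenset({"up", "stop"})
ACT_C = frozenset({"up"})
DELTA = [
    (0, frozenset(), 0), (0, frozenset({"tick"}), 0),
    (0, frozenset({"up"}), 1), (0, frozenset({"up", "tick"}), 2),
    (1, frozenset({"stop"}), 3), (2, frozenset(), 2),
]
# Constructed summary relation: triples (q, P, q') as in the text.
SUMMARY = [
    (0, frozenset({0}), 0), (1, frozenset({1}), 1), (2, frozenset({2}), 2),
    (2, frozenset({2, 3}), 3), (3, frozenset({3}), 3),
]
```

After Cont plays {up} from {0}, the hidden "tick" leaves the knowledge set at {1, 2, 3}; observing "stop" afterwards narrows it to {3}.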

In this game the knowledge of Cont about the current state is exactly what a
controller can compute in the original problem, based on the observable actions.
A play is essentially a sequence $Q_0, Q'_0, Q_1, Q'_1, \ldots$ (a more precise definition
of the game graph is given below) and now it is more intricate to determine
the winner. The sequence $Q_0, Q'_0, Q_1, Q'_1, \ldots$ represents the point of view of the
controller, and we call it an abstract play. After the game is played a referee has to
choose inside this abstract play a concrete path (if one exists) $q_0, q'_0, q_1, q'_1, \ldots$
such that $q_i \in Q_i$, $q'_i \in Q'_i$ and compatible with the sequence of $c_i$'s and $o_i$'s. That is
to say one has to choose $q_0 \in Q_0$, a sequence of elements $u_i \subseteq Act \setminus Act_o$ such that
$q_i \xrightarrow{c_i \cup o_i \cup u_i} q'_i$ and elements $(q'_i, P_i, q_{i+1}) \in \mathcal{R}$. The sequence $q_0, q'_0, P_0, q_1, q'_1, P_1, \ldots$
summarizes a run in $A$ and we can determine if it is accepting, in which case
Env wins the play. Note that for the acceptance condition of $A$ it is relevant to
know whether some $q \in Q$ appears in infinitely many $P_i$'s. Therefore the set of
winning plays of Env can be defined by a non deterministic Muller automaton
searching a concrete path, as we will see below, after we make some comments.

The advantage that Env plays "abstractly" the game, and one selects a
concrete path only afterward is not unfair. Again we want a controller that is secure,
and we worry if the environment could have won. And in the case that the
controller does not have a winning strategy, it does not necessarily mean that the
environment has one, but it means that there is a risk that the environment
wins. This is related to the fact that games of incomplete information are not
determined in general: it is possible that no player has a winning strategy.

We now describe the automaton defining the set of winning plays and then
the arena in more details. Note that the sequence $Q_0, Q'_0, Q_1, Q'_1, \ldots$ above is
uniquely determined by the sequence $o_0, c_0, o_1, c_1, \ldots$ of actions chosen by Cont
and Env. The state space of the automaton $A_{Win}$ recognizing the winning plays
for Env is $Q \times 2^Q$. For all $P \subseteq Q$ there is a transition $(q, P) \xrightarrow{c \cup o} (q', \emptyset)$ if and only
if $\exists u \subseteq Act \setminus Act_o$, $q \xrightarrow{c \cup o \cup u} q'$ in $A$ and there is a transition $(q', \emptyset) \to (q, P)$ if
and only if $(q', P, q) \in \mathcal{R}$.

The automaton $A_{Win}$ non-deterministically guesses a run in $A$ conforming
to the sequence $o_0, c_0, o_1, c_1, \ldots$ The acceptance condition of $A_{Win}$ is the same
as that of $A$: it can be seen as a Muller condition depending on the states
appearing infinitely often in a run. It is given by a set of sets $\mathcal{F} \subseteq 2^Q$. The usual
way to handle such a non-deterministic Muller automaton is to transform it into
a non-deterministic Büchi automaton [GTW02, Ch. 1]. The Büchi automaton
$B_{Win}$ simulates $A_{Win}$ and guesses at some point which subset of states are
going to be visited infinitely often and that other states are no longer visited.
The state space of $B_{Win}$ is $Q \cup Q \times \mathcal{F} \times (Q \cup \{q_f\})$. It checks in turn that each
state of the chosen acceptance component $F \in \mathcal{F}$ is visited infinitely often and
it is not necessary to remember the whole $(q, P) \in Q \times 2^Q$ of $A_{Win}$. Using e.g.
Safra's construction [GTW02, Ch. 3] one can transform the Büchi automaton
$B_{Win}$ into a deterministic Rabin automaton $C_{Win}$. Then the Index Appearance
Record allows to have a deterministic parity automaton $D_{Win}$ [GTW02, p. 86]
[DkT98].

For defining the arena, we see that Cont and Env essentially choose the
actions $c_i$ and $o_i$.

$V_{Env} = 2^{Act_c}$, $V_{Cont} = 2^{Act_o \cap Act_{nc}}$, $G = (V_{Env} \times V_{Cont}) \cup (V_{Cont} \times V_{Env})$

Now the product of the arena $(V_{Env}, V_{Cont}, G)$ by the parity automaton $D_{Win}$
gives rise to a parity game on a finite graph. One can determine the winner and
compute a positional winning strategy [GTW02, Ch. 6, 7] [JPZ06]. Due to the
synchronization between the arena and $D_{Win}$, the set $V_{Env}$ can be merged to a
single vertex: it is not needed to remember the move of Cont because its effect
on $D_{Win}$ is sufficient. In fact the successive sets $Q_0, Q'_0, Q_1, Q'_1, \ldots$ of the above
description are computed by $D_{Win}$ (thanks to Safra's construction already in
$C_{Win}$).

Theorem 1. The control problem defined in Section 2.4 can be solved in
2EXPTIME. Moreover if a controller exists, then there is one with finite memory of
double exponential size.

The complexity is measured in the number $|Q|$ of states of $A = A_S \times A_{\neg\psi}$. Recall
that the usual control problem is 2EXPTIME-complete [PR89] in the size of the
system and the length of the formula.

See Appendix for the proof. The idea is to prove the following facts. If the
game $\mathcal{G}$ is won by Cont then a controller for $(S, \psi)$ exists, and it can be
constructed. Conversely if a controller for $(S, \psi)$ exists then $\mathcal{G}$ is won by Cont. By
construction a strategy for Cont in $\mathcal{G}$ is a finite state automaton with expected
properties about (un)observable and (un)controllable actions. Moreover if that
strategy is winning, it defines a controller for $(S, \psi)$: every run of $lift_k(C) \times S$
fulfills $\psi$. Conversely, if a controller for $(S, \psi)$ exists, possibly with infinite
memory, then this controller provides a winning strategy for Cont in $\mathcal{G}$. From the
analysis above we know that if there is a controller for $(S, \psi)$, then there is one
with finite memory, and one can compute it.



4 Example 

We illustrate our construction by a (slightly modified) example from [DN05].
The system is a bouncing ball with three actions lift-up, bounce and stop, where
only lift-up is controllable, and only stop and lift-up are observable. The law of
the ball is described by the following LTL($\omega^2$) formula:

$\varphi = G^{\omega^2}(\text{lift-up} \Rightarrow X^1(G^{\omega}\,\text{bounce} \wedge \text{stop}))$.

Informally, $\varphi$ states that when the ball is lifted-up, it bounces an infinite number
of times in a finite time and then stops. Equivalently the behavior of the system
is modeled by the following ordinal automaton of level 2.

[Figure: the ordinal automaton $A_S$, with edges labeled stop, {bounce, lift-up},
{stop, lift-up} and bounce, and limit transitions including $\{0\} \to s$, $\{s,b\} \to f$
and $\{s,0,b\} \to f$.]

The specification is given by the LTL($\omega^2$) formula:

ip = G W V bounce 



Informally, $\psi$ states that the ball should almost always be bouncing. In the
following picture of the automaton $A_{\neg\psi}$ the star (*) stands for any subset of
actions of $Act$.

[Figure: the automaton $A_{\neg\psi}$, with an edge labeled {bounce, *}.]

We omit here the limit transitions. In the relation $\mathcal{R} \subseteq Q \times 2^Q \times Q$ the relevant
elements are



((Mi) ,{( b ,yi)}A s ,y^)) «o,2/i),{(o,m)}, (s,n u )) 

({b,m} ,{(b,m)}, {s,n u }) ((0,m) ,{(0,m}}, (s,n w )) 

((0,m) ,{(0,m) , (6,m)}, (s,n w )) 

If we construct the automaton $A_{Win}$, we see that its (Muller) acceptance
condition can be reduced to a Büchi condition. In the next figure the automaton
$D_{Win}$ is simplified, and some unnecessary transitions are omitted.

[Figure: the simplified automaton $D_{Win}$ and the game graph, with edges labeled
{stop, lift-up}, stop and lift-up.]

The winning strategy for Cont is: from cl always go to el. The corresponding
controller for $(S, \psi)$ has essentially two loops on its initial state: one labeled
{stop, lift-up} and one labeled {lift-up}.



5 Perspectives 



It is open whether the upper bounds of Theorem 1 are tight, and whether one
can find LTL-fragments or restrictions on the physical system such that the
complexity of the control problem is lower.

We would like to extend the previous results in two directions: to timed
systems and to other linear orderings. Given a timed automaton, it is possible
to determine whether it has Zeno behaviors. Our motivation is to extend the
semantics such that after $\omega$ transitions there is a limit transition to a new control
state and the new clock values are the limit of the former ones (see [BP00]).

A Zeno behavior is not necessarily an ordinal sequence, it can be a more
general linear ordering (see [BG05]). One should extend the results to this more
general class of automata.

Acknowledgments. Great thanks to Stephane Demri and David Nowak for many 
interesting discussions, helpful comments on previous versions and for their help. 
Appendix



Correctness. We claim that the game $\mathcal{G}$ is won by Cont iff a controller for $(S, \psi)$
exists.

If $\mathcal{G}$ is won by Cont, we can compute a positional winning strategy for Cont.
It consists for each position of Cont to have exactly one outgoing edge. Now one
can remove these intermediate states and get a finite automaton (of size
where the transitions are labeled by letters in $2^{Act_o}$. This automaton is a controller
$C$ for $(S, \psi)$. It fulfills condition (obs) of Section 2.4 clearly by construction, and
condition (unc) because Cont chooses only controllable actions. Moreover the
language accepted by $C$ is disjoint from that of $D_{Win}$ and thus from those of
$C_{Win}$, $B_{Win}$ and $A_{Win}$. Finally the language of $lift_k(C) \times S \times A_{\neg\psi}$ is empty.

Conversely suppose that there exists a controller $C$ for $(S, \psi)$, possibly with
infinite memory. The emptiness of $lift_k(C) \times A$ is equivalent to the emptiness
of $C \times A_{Win}$ and of $C \times D_{Win}$. It follows that $C$ defines a winning strategy in the
game $\mathcal{G}$.

Complexity. The sizes, in number of states, are as follows: 

101 

O (\Q\ 2 = O (\Q\ 2 .2^ 

2 0(|Sw*n|.log(|Bwin|)) _ 2 0(lQ| 3 - 2lQ ') 

But the number of Rabin pairs of the acceptance condition of $C_{Win}$ is in $O(|B_{Win}|)$.
\V win \ = \C win \.2°^\^ B ^m hence \V Wm \ = 2°(^ aIQI ) 

The size of $D_{Win}$ is exponential only in the number of Rabin pairs of the
acceptance condition of $C_{Win}$. The number of priorities of the parity automaton
$D_{Win}$ is in $O(|B_{Win}|)$. Now the number of vertices of the game graph is

$n = |D_{Win}| \cdot (|V_{Cont}| + 1) = 2^{O(|Q|^3 \cdot 2^{|Q|})} \cdot 2^{|Act_o \cap Act_{nc}|}$,

the number of edges is

$m = |D_{Win}| \cdot |V_{Cont}| \cdot (|V_{Env}| + 1)$

and the number of priorities

$d = O(|B_{Win}|)$.

The number of priorities of the parity game is very low compared to the number
of states. In such a case the best known deterministic algorithm for solving parity
games is polynomial in the size of the graph, and exponential in the number of
priorities, see [JPZ06] and references therein. The time complexity is in:



\&Win\ = 
\Cwin\ = 



which is here in 



HW (2^' « ra )|^„,|) 0(l01 " . 

|V B „,|2°0«l , -«" ,l )|Vfc < „|°(l«l"-»"") = 
2|Act c | 2 C'(lQI 8 .8i Q i)2C'(l^ct nAct„ c |.|Q| 2 .2i«i) 

The result of the algorithm is a positional winning strategy for the winner. In
other words it is a finite graph also with $n$ vertices. In the case that Cont wins
the game, it defines directly a controller for $(S, \psi)$ with at most $n$ states. More
precisely the transitions of the controller are labeled by letters from $2^{Act_o}$ and
we do not need the intermediate states representing the moves of Env, so the
controller has at most $|D_{Win}|$ states and $|D_{Win}| \cdot 2^{|Act_o \cap Act_{nc}|}$ transitions.



